Robert Muir created SOLR-13983:
----------------------------------
Summary: remove or replace process execution in SystemInfoHandler
Key: SOLR-13983
URL: https://issues.apache.org/jira/browse/SOLR-13983
Project: Solr
Issue Type: Improvement
Security Level: Public (Default Security Level. Issues are Public)
Reporter: Robert Muir
SystemInfoHandler is the only place in Solr code executing processes.
Since Solr is a server/long running process listening to HTTP, ideally process
execution could be disabled (e.g. with security manager). But first this code
needs to be removed or replaced, so that there is no legitimate use of it:
{noformat}
try {
  if (!Constants.WINDOWS) {
    info.add( "uname", execute( "uname -a" ) );
    info.add( "uptime", execute( "uptime" ) );
  }
} catch( Exception ex ) {
  log.warn("Unable to execute command line tools to get operating system properties.", ex);
}
return info;
{noformat}
It already looks like it's getting data from OS MXBean here, so maybe this logic
is simply outdated or not needed. It seems to be "best-effort" anyway.
Alternatively similar stuff could be fetched by reading from e.g. /proc file
system location if needed.
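An added sketch, not Solr's code and not part of the issue, of the replacement the report suggests: the same best-effort `uname`/`uptime` data taken from the OS MXBean and from `/proc`, so the handler never spawns a process. The class name, the map keys `loadAverage`, `kernel` and `uptimeSeconds`, and the use of a plain `Map` instead of Solr's `info` object are assumptions made for illustration.

```java
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.lang.management.OperatingSystemMXBean;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.LinkedHashMap;
import java.util.Map;

public class OsInfoWithoutExec {  // hypothetical name, not a Solr class

  // First line of a small /proc file, or null if missing/unreadable (best effort).
  static String firstLine(Path p) {
    try {
      return Files.readAllLines(p, StandardCharsets.UTF_8).stream().findFirst().orElse(null);
    } catch (IOException | SecurityException e) {
      return null;
    }
  }

  // /proc/uptime holds "<seconds since boot> <idle seconds>"; return the first field.
  static Long parseUptimeSeconds(String line) {
    if (line == null) return null;
    try {
      return (long) Double.parseDouble(line.trim().split("\\s+")[0]);
    } catch (NumberFormatException e) {
      return null;
    }
  }

  static Map<String, Object> collect(Path procRoot) {
    Map<String, Object> info = new LinkedHashMap<>();
    OperatingSystemMXBean os = ManagementFactory.getOperatingSystemMXBean();
    // Portable stand-in for most of "uname -a": OS name, version, architecture.
    info.put("uname", os.getName() + " " + os.getVersion() + " " + os.getArch());
    // Portable stand-in for the load part of "uptime" (negative if unavailable).
    info.put("loadAverage", os.getSystemLoadAverage());
    // Linux-only details; silently skipped where /proc does not exist.
    String kernel = firstLine(procRoot.resolve("version"));
    if (kernel != null) info.put("kernel", kernel);
    Long up = parseUptimeSeconds(firstLine(procRoot.resolve("uptime")));
    if (up != null) info.put("uptimeSeconds", up);
    return info;
  }

  public static void main(String[] args) {
    // Constructed sample line in /proc/uptime format, to exercise the parser offline.
    System.out.println(parseUptimeSeconds("351735.47 234388.90"));
    System.out.println(collect(Paths.get("/proc")));
  }
}
```

With no remaining caller of `execute(...)`, a policy that denies process execution for the whole JVM no longer needs an exception for this handler.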